Hello! On Mon, Nov 19, 2018 at 09:47:32AM +0000, Rob Fulton wrote:
> Hi, > > I'm trying to work out the best way to setup the proxy_pass url and > which variables to use. Initially we were using proxy_pass to proxy to a > single https URL, we used a rewrite to change https://hostname/ to > https://hostname/index.html. > > We've recently discovered issues due to the single DNS query nginx > performs so moved to using a variable for the hostname, this required us > to set proxy_pass to the full requests url. We started with : > > proxy_pass ${content_server}content$request_uri > > This worked as expected but our rewrite rules failed to work, looking at > the documentation, this is seems to be expected since this is the > request pre-processing by nginx. > > We then moved to : > > proxy_pass ${content_server}content$uri > > This works fine with the rewrite rules but I noticed a comment on > StackOverflow stating this opens you up to header injection > vulnerabilities. Is there a variable / combination of variables that > allow you to preserve rewrites without the potential security issues, or > a better way of doing this ensuring we can use variables in the > proxy_pass hostname? If you want to use variables in the proxy_pass and at the same time want to preserve effect of nginx internal URI changes such as due to rewrites, consider using an empty URI compontent in the proxy_pass. For example: set $backend "http://example.com";; proxy_pass $backend; -- Maxim Dounin http://mdounin.ru/ _______________________________________________ nginx mailing list [email protected] http://mailman.nginx.org/mailman/listinfo/nginx
